How to Create an Effective and Practical Password Policy

Businesses of all sizes need to control access to their local networks and email, to cloud-based services, and to other sensitive systems. That means assigning passwords to the people using these systems.

Obviously, longer and more complex passwords are harder to break. And the more often you change a password, the less time there is for an attacker to guess it. Everybody knows this, right?

Maybe so. But as ever, the devil is in the details. In general, the more “secure” a password is, the more of a hassle it causes the employee who has to use it. To take one extreme, the most secure password would be a very long, totally random sequence of letters, numbers, and characters that changed every day. But the burden such a policy places on employees almost always outweighs any security benefits.

At the other extreme, each employee could just use his or her own name as a permanent password that never changes or expires. That approach certainly makes life easier, but it barely offers any security.

Not surprisingly, real-world password policies tend to fall somewhere in the middle. But where?

To answer this question, first recognize that advances in computing technology mean that “strong” passwords aren’t as strong as they used to be. In October 2010, for example, one security blogger using readily available tools managed to crack a 14-character password in just 11 seconds. While the exploit isn’t quite as amazing as it sounds (the blogger exploited a weakness unique to a certain password encoding method), it still illustrates just how vulnerable even seemingly strong passwords can be these days to so-called “brute-force” attacks.

Furthermore, many security breaches these days are the result of phishing attacks, in which employees are somehow tricked into revealing their passwords. These types of attacks use “social engineering” tactics to convince victims that an attacker is actually a co-worker, superior, tech support employee, or some other authorized user. If the attacker is convincing, the victim voluntarily gives away his or her password. And a password that someone surrenders voluntarily is about as useful as no password at all.

Both of these factors are leading some security experts to challenge the conventional wisdom regarding random, frequently changed passwords. A recent study by a Microsoft researcher, for instance, concluded that in ignoring widely adopted password standards, “users show considerable wisdom from a cost-benefit standpoint: Choosing a strong password generates very little benefit to a user, but it does carry considerable cost.”

In other words, users doing the “wrong” thing when it comes to password security are making a more rational choice than users doing the “right” thing. It’s a powerful claim, and it should encourage businesses to consider exactly why and how they enforce password policies. On the other hand, it’s still true that strong passwords create a significant line of defense against attackers; doing away with them isn’t (and shouldn’t be) an option.

So, given all of these factors, how can your business create a practical password policy?

First, consider allowing employees to generate their own passwords, subject to some basic security guidelines, rather than requiring them to use passwords that you’ve assigned. Employees may also use password-generating websites to create passwords that are both secure and easy to remember; a visit to SafePasswd.com, for example, served up “cOnDoNe=7:” as an option for an easily remembered 10-character password. It’s a meaningless (and thus more secure) password, yet it also contains some natural clues that make it much easier to recall.

Another tactic is to generate a password based on an easily remembered rule; employees just need to remember the rule rather than memorizing every password they create. For example, you could start with a base password, like the first letters of the title of your favorite song or a combination of your kids’ initials. Then obscure it further by shifting your fingers one space over when you type it — “Oops I Did It Again” becomes “oIdIa” becomes “pOfOS.” Then add in some variation on the name of the service, like just the vowels, and intersperse them with the base password.

So for instance, to log in to SalesForce.com, your password might become “paOefoOeS.” Add a number or a character in the middle — “pa2OefoOeS” or “paO!efoOeS” — and you have a password that’s hard to memorize (or crack) but still possible to remember without writing it down.

Probably the easiest approach, though, is to equip a company’s employees with password management software. Such software can generate highly secure passwords and store them, eliminating the memorization problem. These tools can even automatically fill in the right password on a login screen and store other information such as names, addresses, and credit card numbers. (It’s true that Mac OS X and Windows have password managers built in, but they’re not as flexible as dedicated software, and they don’t include password generators.)

Popular password management software choices include Agile Web Solutions’s 1Password for Windows, Mac, and mobile devices; the open source KeePass and KeePassX for multiple platforms; RoboForm for Windows; and Ascendo’s DataVault for Windows, Mac, and mobile devices.

Once everyone has their passwords (or a way of generating them), experts recommend establishing a “three strikes” policy for login attempts. In other words, once someone enters an incorrect password three times, they’re locked out of the system until they contact an administrator. This may annoy some users (especially the forgetful ones!), but it protects your systems against brute-force attacks that need thousands or even millions of attempts to guess a password successfully.
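A minimal implementation of the "three strikes" rule shows the two details that make it effective: the failure counter is reset only by a successful login, and once an account is locked even the correct password is refused until an administrator unlocks it (otherwise an attacker could simply keep guessing). This is an added example, not code from the article; the user store, the PBKDF2 hashing, the audit list and the usernames and passwords in the demo are all constructed for illustration (the sample password is the one the article quotes from SafePasswd.com).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # the article's "three strikes"


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0   # consecutive wrong passwords since the last success
    locked: bool = False


class LoginGuard:
    """Toy login service with a lockout after MAX_FAILURES consecutive failures."""

    def __init__(self) -> None:
        self._accounts: dict = {}
        self.audit: list = []  # one line per attempt, the record an admin or SOC would review

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # Salted, slow hash so a leaked store still resists offline guessing.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, self._hash(salt, password))

    def attempt(self, username: str, password: str) -> str:
        """Returns "ok", "failed" or "locked" and appends an audit line."""
        acct = self._accounts.get(username)
        if acct is None:
            # Hash anyway so response time does not reveal which usernames exist.
            self._hash(b"\0" * 16, password)
            self.audit.append(f"user={username} result=unknown_user")
            return "failed"
        if acct.locked:
            # Locked accounts reject every attempt, right or wrong, until an admin unlocks.
            self.audit.append(f"user={username} result=locked")
            return "locked"
        if hmac.compare_digest(self._hash(acct.salt, password), acct.digest):
            acct.failures = 0  # success clears the strike count
            self.audit.append(f"user={username} result=ok")
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.audit.append(f"user={username} result=locked failures={acct.failures}")
            return "locked"
        self.audit.append(f"user={username} result=failed failures={acct.failures}")
        return "failed"

    def admin_unlock(self, username: str) -> None:
        acct = self._accounts[username]
        acct.locked = False
        acct.failures = 0
        self.audit.append(f"user={username} result=admin_unlock")


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("alice", "cOnDoNe=7:")          # constructed account
    for guess in ("password", "alice123", "letmein"):
        print(guard.attempt("alice", guess))        # failed, failed, locked
    print(guard.attempt("alice", "cOnDoNe=7:"))     # locked: correct password, still refused
    guard.admin_unlock("alice")
    print(guard.attempt("alice", "cOnDoNe=7:"))     # ok
    print("\n".join(guard.audit))
```

The audit list is the part worth wiring into real monitoring: a burst of `result=failed` lines across many usernames is the signature of a password-spraying attempt that per-account lockout alone does not stop, so the counter should be complemented by per-source rate limiting.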

Finally, it’s worth repeating that some of the biggest threats to password security these days don’t come from password-cracking tools; they come from phishing and social engineering attacks. As a result, your business should always train employees to recognize and avoid these kinds of scams. Ultimately, the best solution to password security isn’t just a matter of technology, it’s also a matter of good training, employee awareness, and plain old common sense.